Cyber Resilience

CVE-2025-13342

Severity: Critical
Published: 03 December 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.1th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-13342 is a critical-severity Missing Authorization (CWE-862) vulnerability in WordPress (affected product inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-13342 affects the Frontend Admin by DynamiApps plugin for WordPress in all versions up to and including 3.28.20. The vulnerability enables unauthorized modification of arbitrary WordPress options due to insufficient capability checks and input validation in the ActionOptions::run() save handler. It has been assigned CWE-862 (Missing Authorization) and a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity stemming from network accessibility without authentication or user interaction.

Unauthenticated attackers can exploit this flaw by submitting crafted form data to public frontend forms provided by the plugin. Successful exploitation allows modification of critical WordPress options, such as users_can_register, default_role, and admin_email, potentially enabling attackers to create unauthorized administrator accounts, alter site registration settings, or redirect administrative notifications.

Mitigation details are outlined in advisories from Wordfence and in the WordPress plugin Trac repository, including changeset 3400432, which addresses the issue in the ACF Frontend Form Element. Security practitioners should update the plugin to a version later than 3.28.20 and review any modified options on affected sites.
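As an added example (not the plugin's code and not the Wordfence or Trac changeset), the shape of the save-handler defect described above alongside a hardened handler that applies the capability check, request validation and option allowlist the advisory calls for; the function names, the nonce action and the form field layout are hypothetical.

```php
<?php
// Added illustration, not DynamiApps code. Both handlers receive the decoded
// form submission as $request (hypothetical layout: $request['options'] is a
// name => value map of WordPress options the form wants to write).

// The defect the advisory describes: option names and values are taken from
// the request and written with update_option() without checking who is
// calling or which option is being touched.
function example_vulnerable_save_options( array $request ) {
    foreach ( (array) ( $request['options'] ?? array() ) as $name => $value ) {
        update_option( $name, $value ); // any option, any caller, no validation
    }
}

// Hardened form: authorization first, then request origin, then an allowlist
// of writable options, each with its own sanitizer.
function example_hardened_save_options( array $request ) {
    // AC-3 / AC-6: only a logged-in user holding manage_options may change
    // site options; an anonymous visitor fails here before anything is written.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    // The request must carry a nonce issued for this form (hypothetical action
    // name), so a cross-site submission cannot drive the handler.
    $nonce = isset( $request['_wpnonce'] ) ? $request['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_options' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid or missing nonce.', array( 'status' => 403 ) );
    }
    // Allowlist: the handler decides which options are writable and how each
    // value is cleaned. users_can_register, default_role and admin_email are
    // deliberately absent, so they can never be set through this form.
    $writable = array(
        'blogname'        => 'sanitize_text_field',
        'blogdescription' => 'sanitize_text_field',
    );
    $updated = array();
    foreach ( (array) ( $request['options'] ?? array() ) as $name => $value ) {
        if ( ! isset( $writable[ $name ] ) ) {
            continue; // silently drop anything outside the allowlist
        }
        $clean = call_user_func( $writable[ $name ], wp_unslash( (string) $value ) );
        update_option( $name, $clean );
        $updated[] = $name;
    }
    return $updated; // names of the options actually written
}
```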

Vulnerability details

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms.

CWE(s): CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136.001 Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

This CVE enables unauthenticated exploitation of a public-facing WordPress plugin (T1190) to modify options such as users_can_register and default_role, which in turn facilitates creating a local account with administrator privileges (T1136.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2446 (shared CWE-862)
CVE-2025-5483 (shared CWE-862)
CVE-2026-2992 (shared CWE-862)
CVE-2023-53923 (shared CWE-862)
CVE-2025-8059 (shared CWE-862)
CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: AC-3 (Access Enforcement). Enforces approved authorizations and capability checks to prevent unauthenticated attackers from modifying arbitrary WordPress options via the ActionOptions::run() handler.

Prevent: Validates inputs in crafted form data submissions to the plugin's save handler, directly addressing the insufficient input validation that enables unauthorized option modifications.

Prevent: AC-6 (Least Privilege). Applies least privilege to restrict unauthenticated access, mitigating the missing capability checks that allow changes to critical options such as users_can_register and default_role.

References